Is there a reason the JavaScript onChange event is prohibited by ModSecurity?
Our test environment recently got an Apache upgrade that apparently added some ModSecurity rules, one of which flags previously functioning JavaScript as an XSS attack:
[05/May/2014:15:37:29 --0500] [xxx.bigmachines.com/sid#xxx][rid#xxx][/commerce/buyside/document.jsp][1] Access denied with code 403 (phase 2). Pattern match "\\bonchange\\b\\W*?\\=" at ARGS:sfActiveServices. [file "/usr/local/apache2/conf/setup/modsecurity/modsecurity_crs_41_xss_attacks.conf"] [line "137"] [id "958406"] [rev "2"] [msg "Cross-site Scripting (XSS) Attack"] [data "Matched Data: onchange= found within ARGS:sfActiveServices: <select style=\x22overflow-x:scroll; size=10; overflow:-moz-scrollbars-horizontal;\x22 name=\x22usid\x22 style=\x22background-color:white;\x22 onchange=\x22getselectedvalue()\x22><option value=\x22\x22 selected=\x22selected\x22>select a service</option><option value=\x2240225553\x22>40742660 collocation - special request service id: (16-1 & 16-14) iad</option><option value=\x2240225564\x22>40742672 data center space charges - p service id: coloc..."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
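Rule 958406 is a generic CRS signature that fires on an `onchange=` handler in any request argument, so it cannot tell posted form markup from an injection; the usual fix is a targeted exclusion rather than removing the rule site-wide. The following ModSecurity 2.x configuration is an added example, not from the original question or the CRS project; the local rule id 90001 is an assumed value, and the path and argument name come from the log entry above.

```apache
# Added example, not part of the original question.
# Option 1: config-time exclusion. Rule 958406 keeps inspecting every other
# argument, but no longer looks at ARGS:sfActiveServices on any request.
# Place this after the CRS include so the rule already exists when it runs.
SecRuleUpdateTargetById 958406 "!ARGS:sfActiveServices"

# Option 2: runtime exclusion scoped to one request path. The phase-1 rule
# runs before the phase-2 XSS rules and drops only this argument from 958406
# for the current transaction. Id 90001 is an assumed value from the range
# reserved for local (non-CRS) rules; pick one free in your setup.
SecRule REQUEST_FILENAME "@streq /commerce/buyside/document.jsp" \
    "id:90001,phase:1,pass,nolog,t:none,\
     ctl:ruleRemoveTargetById=958406;ARGS:sfActiveServices"
```

Use only one of the two options; option 2 is the narrower exclusion and is preferable when the argument is accepted on a single page. Exclusions only stop the WAF from inspecting that value, so the application still has to encode sfActiveServices wherever it is rendered back into a page.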